In the claims:

All claims presented for examination are listed below. 

1. (Currently amended) A method for a second operation of authenticating a user and
securing an online transaction over a telephone, comprising: 

(a) providing a card reader connecting a smart card to a telephone; 

(b) transmitting from the smart card at least an identification sequence for the user
to an IVR server connected to a telephone line in the form of a modulated signal;

(c) demodulating the identification sequence at the IVR server, and

(d) authenticating the user and the transaction at an application server receiving
the demodulated identification sequence from the IVR server over a communication
network wherein data processing required for generating, transmitting and authenticating
the user occur without data processing assistance from the card reader.

2. (Previously presented) The method of claim 1, wherein the identification sequence
comprises at least a unique card number and a random number, the random number valid 
only once. 

3. (Previously presented) The method as in claim 2, wherein the random number is a
session key (Ki) which is not transmitted to the authentication server. 

4. (Currently amended) The method as in claim 3, wherein the session key (Ki) is a
function of a previous [[one]] (Ki-1) emitted by the card as: Ki = G(Ki-1), G is a one-way
function wherein (Ki-1) is known by the authentication server.

5. (Currently amended) The method of claim 4, wherein the session key (Ki) is used by
[[the]] an IVR applet to encrypt a PIN entered by the user; wherein [[an]] the encryption
code is transmitted to the authentication server along with the card number.

6. (Previously presented) The method of claim 5, wherein the authentication server
decrypts the encryption code to retrieve the user PIN, using a session key deduced from
the (Ki-1) stored in a database at the authentication server.

7. (Previously presented) The method of claim 6, wherein the authentication is valid only
if the decrypted PIN and the PIN stored in the database are identical; if this is the case, the
authentication server replaces (Ki-1) by (Ki) in the database and (Ki) cannot be reused.
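
The key chain of claims 2 to 7, as an added illustration that is not part of the application as filed. SHA-256 as the one-way function G, the XOR keystream used as the PIN cipher, the all-zero seed, the card number and the class and function names are all assumptions; the claims name no algorithm.

```python
import hashlib
import hmac

def G(k: bytes) -> bytes:
    """One-way function G (assumed: SHA-256; the claims name no algorithm)."""
    return hashlib.sha256(b"G" + k).digest()

def pin_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a keystream from the single-use key."""
    stream = hashlib.sha256(b"pin" + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Card:
    def __init__(self, number: str, seed: bytes):
        self.number, self.k = number, seed

    def emit(self):
        """Advance the chain, Ki = G(Ki-1), and emit (card number, Ki) to the IVR."""
        self.k = G(self.k)
        return self.number, self.k

def ivr_applet(card_number: str, ki: bytes, pin: str):
    """Encrypt the PIN under Ki; Ki itself is not forwarded to the server."""
    return card_number, pin_cipher(ki, pin.encode())

class AuthServer:
    def __init__(self):
        self.db = {}  # card number -> (Ki-1, PIN)

    def enroll(self, number: str, seed: bytes, pin: str):
        self.db[number] = (seed, pin.encode())

    def authenticate(self, number: str, enc_pin: bytes) -> bool:
        if number not in self.db:
            return False
        k_prev, pin = self.db[number]
        ki = G(k_prev)                      # session key deduced from stored Ki-1
        if not hmac.compare_digest(pin_cipher(ki, enc_pin), pin):
            return False                    # state is left unchanged on failure
        self.db[number] = (ki, pin)         # replace Ki-1 by Ki: Ki cannot be reused
        return True

def demo():
    seed = bytes(32)                        # constructed sample seed
    card, server = Card("CARD-0001", seed), AuthServer()
    server.enroll("CARD-0001", seed, "4921")
    msg = ivr_applet(*card.emit(), "4921")
    first = server.authenticate(*msg)       # genuine attempt
    replay = server.authenticate(*msg)      # same message sent again
    wrong = server.authenticate(*ivr_applet(*card.emit(), "0000"))
    return first, replay, wrong
```

In this sketch a failed attempt advances the card's key but not the server's copy, so a deployment needs a resynchronization rule, which the claims do not specify.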

8-13. (Canceled) 

14. (Currently amended) A system for authenticating a user and securing online 
transactions for a user over a telephone, comprising:

a card reader connected to the telephone and the telephone connected to a 
telephone line; 

a smart card connected to the card reader for transmitting at least an identification 
sequence for the user; 

an IVR server connected to the telephone line; and

an application server connected to the IVR server over a communication network; 

wherein the application server system authenticates the user and the online
transactions by the application server which receives receiving the demodulated
identification sequence from the IVR server over a communication network and compares
the received identification sequence with identification information in a database
accessible to the user and all of the data processing required to transmit information and
authenticate the user occurs outside of the card reader.

15. (Previously presented) The system of claim 14, wherein the identification sequence
comprises at least a unique card number and a random number valid only once. 

16. (Currently amended) The system of claim 14, wherein the random number is a session
key (Ki) which is not transmitted to the authentication application server.

17. (Currently amended) The system of claim 14, wherein [[the]] a session key (Ki) is a
function of a previous [[one]] (Ki-1) emitted by the card such as: Ki = G(Ki-1), G is a
one-way function, wherein (Ki-1) is known by the authentication application server.

18. (Currently amended) The system of claim [[14]] 17, wherein the session key (Ki) is
used by [[the]] an IVR applet to encrypt a PIN entered by the user; said encryption code is
transmitted to the authentication application server along with the card number.

19. (Currently amended) The system of claim [[14]] 18, wherein the authentication
application server decrypts the encryption code to retrieve the user PIN, using a session
key deduced from the previous [[one]] (Ki-1) stored in a database at the authentication
server.

20. (Currently amended) The system of claim [[14]] 19, wherein the authentication is 
valid only if the decrypted PIN and the PIN stored in the database are identical; if this is 
the case, the authentication application server replaces (Ki-1) by (Ki) in the database and 
(Ki) cannot be reused. 

21. (Previously presented) The system of claim 14, wherein the smart card is powered by
the voltage provided by the telephone line. 

22. (Previously presented) The system of claim 14, wherein the smart card transmits the 
modulated signal to the telephone line through an ISO contact. 

23. (Previously presented) The system of claim 14, wherein the card reader is further
integrated into the telephone handset. 



